OWASP meeting tonight

August 20th, 2008

Just a reminder, the August OWASP DC meeting is this evening.

OWASP DC
Wednesday August 20th 6:30 PM

Deloitte and Touche
1001 G St NW Washington DC 20001

Come join us!

OWASP DC and CapSec DC for August

August 13th, 2008

Back from Vegas, and this month’s meetups are looming.

OWASP DC
Wednesday August 20th 6:30 PM

Deloitte and Touche
1001 G St NW Washington DC 20001

This month, our agenda is as follows:

  • Introduction to OWASP, Rex Booth
  • The Big Picture: Web Risks and Assessments Beyond Scanning, Matt Fisher
  • Security Conference Review: Black Hat & DefCon (group discussion)
  • Open floor

Matt’s talk will focus on the need to risk- and threat-model software and to pick appropriate people, tools, and testing techniques to test against that threat model. In today’s resource-constrained market, many organizations are simply turning to automation to test their software security without truly understanding its limitations. This talk will discuss some of the broader threat cases, testing techniques for them, and whether the current state of industry technology is effective against them.

Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026.

Ostensibly, Refresh DC will be meeting on the 21st of this month, but no announcement has been made yet.

CapSecDC
Wednesday August 27th, 7:00 PM

Stetson’s
1610 U St NW
Washington DC 20009

Our monthly happy hour where we talk about everything under the sun. I’m sure this month will yield some follow-up from Vegas, and other things on the horizon. Last week, we headed down U street after a while, and dropped by DC9 for the later part of the evening.

Come join us at one or all!

Fear cuts deeper than knives

August 9th, 2008

This weekend, controversy surrounds the black hat/defcon security conferences once again. Students at MIT were slated to present on research on hacking the MTA farecard system (both magnetic stripe and RFID technologies), but a temporary restraining order granted this morning by a Boston judge has caused the cancellation of the talk.

There have been several different cases of legal threats shutting down talks in the past few years — in fact, it almost seems a mandatory event every year now. However, RFID seems to have attracted it disproportionately now, with IOActive having been forced to pull a talk in a previous year as well.

I’ll leave the details of this case to the reader’s google-fu right now (google news defcon, you’ll get plenty). But we put forward this question:

Why are the lawsuits brought against the researcher who uncovers the flaw in a system, rather than the vendors who provide the flawed system?

Most of the issues with RFID are already widely known, and the execution of the “exploits” is a matter of clever people utilizing cheaply available resources. Trying to repress their findings does nothing to truly protect the systems — all it does is mean that another clever person, who may mean more harm and less good, will come along shortly and do it again.

Perhaps some day organizations and government will evolve from having to place blame first and foremost. But until then, perhaps the blame should go on the group that created the problem, as opposed to the person who revealed there was one.

Defcon Presentation

August 8th, 2008

I’d like to thank the people of Defcon and all of the attendees who came to my talk for the opportunity to speak today. I have uploaded my Defcon 16 Presentation to the blog for your viewing enjoyment. The code has been uploaded to http://code.google.com/p/modscan/.

Looking forward to the rest of con. I’m sure we’ll write more later.

Viva Las Vegas!

August 5th, 2008

Like many others of similar interests, we’ll be out in Vegas for most of this week/weekend, for Black Hat, DEFCON, and LifeCycle Security.

Mark is presenting at DEFCON this year, if you’re in town, stop by and see his talk, it’s scheduled for Friday at noon in the Track 3 room. We’ll also be at the OWASP/WASC party at Caesar’s on Wednesday night, and I’ll be haunting mostly the two appsec tracks during the days at BH.

Much to my shame, I’ve gotten a Twitter account; you can follow me here. I’m getting it as a conference tool, we’ll see how it goes. It will NOT be dumped into a blog anywhere, I have too much respect for the intarwebs to do that.

See you in Vegas!

CapSec DC this evening

July 30th, 2008

Just a reminder, CapSec DC is tonight!

CapSecDC
Wednesday July 30th, 7:00 PM

Stetson’s
1610 U St NW
Washington DC 20009

Come chat about Black Hat, Def Con, and other things on the horizon.

Hope to see you there.

HacDC kicks off

July 27th, 2008

I briefly stopped by the headquarters of HacDC to take part in their “Grand Opening” celebration this evening. They’ve been up and running for quite a while, but were having an official kick-off week this week.

It’s an interesting idea, and though I am not much of a hardware hacker type (when I was, it was years ago), I’m very excited about the idea of the community and/or focused effort that could come out of it. On the surface, it’s the “hacker clubhouse” idea — a bunch of people have contributed an amazing amount of stuff into a workspace where people can hang out and work on projects, without having to clutter up their own spaces at home. But talking to some of the folks around, there is a hope to make it into an organization with a larger impact than just a bunch of geeks playing with toys. I’ll be very interested to see how it evolves, and definitely look forward to talking to some of the folks I met there again, and seeing what they cook up.

Stop by their website, and give it a look. And, if it interests you, stop by the space. There’s a good chance that when we adjourn CapSec DC this week (reminder, it is THIS Wednesday), we’ll head up to the HacDC space afterwards so that people can get a look at what’s going on.

July OWASP Presentation

July 26th, 2008

For those who did (or didn’t) attend the July OWASP meeting, I’ve posted the latest version of the presentation here:

webappsec-101-owasp-jul-08

One of these days we’ll actually get a recording of the presentation, as the demos are not in the PDF.

OWASP DC July Meeting Tonight!

July 23rd, 2008

Just a reminder — THIS EVENING!!

OWASP DC July 2008 — July 23rd 6:30 PM

Grant Thornton
333 John Carlyle St
Alexandria, VA 22314

Mark is actually in the field this week, so he’ll be joining remotely (hopefully!). Doug will be presenting a reprise of their previous talk, “Web Application Security (and why it matters to you)” and then welcoming discussion of whatever topics attendees want to discuss.

Grant Thornton will be providing refreshments.

OWASP DC and Refresh DC for July

July 16th, 2008

Two events we’ll be attending next week:

The first OWASP Meeting of the newly re-organized OWASP DC Chapter will be occurring next Wednesday.

OWASP DC July 2008 — July 23rd 6:30 PM

Grant Thornton
333 John Carlyle St
Alexandria, VA 22314

Mark and Doug will be presenting their Web Application Security (and why it matters to you) talk again (due to requests from the last time we met in Alexandria) and then welcoming discussion of whatever topics attendees want to discuss. Grant Thornton will be providing refreshments.

Next Thursday, Refresh DC is happening, though they don’t have a location confirmed yet:

Refresh DC July
Thursday, July 24th 7:00 PM – ?

RSVP or just come out — we hope to see you at one of these events.